MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 558e80fb074836c42b5d54d3f20839f1eaab3d8168d0fc4aae1435231e0d359e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Nitol

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	558e80fb074836c42b5d54d3f20839f1eaab3d8168d0fc4aae1435231e0d359e
SHA3-384 hash:	082480bbabb29f9b7e9b62859024b0529402f75f5e7844f3de4e405adef7f3b2b30ab2c193fb79afe19e320bc4a85541
SHA1 hash:	26337d29590fcf03be19f1afb0fdda66e53bd8da
MD5 hash:	c6e5abd2b25c38c7f5b94498565f7d6b
humanhash:	butter-seventeen-whiskey-berlin
File name:	c6e5abd2b25c38c7f5b94498565f7d6b.exe
Download:	download sample
Signature	Nitol Create hunting rule
File size:	1'200'128 bytes
First seen:	2023-03-25 14:49:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f1a64848e5c92cb94dc8325141eb7c04 (1 x Nitol)
ssdeep	24576:i7+jI5iB5Rg/IkBd16JSsvB5h8/rmOWn:n3kBd4vaNWn
Threatray	40 similar samples on MalwareBazaar
TLSH	T1B54523B11BC68422D7D28F3CC866D3617FBAA40080485A1BF250A93DDC3BBE1B99557F
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4505/5/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	exe Nitol

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

PurpleFox

ID:

File name:

c6e5abd2b25c38c7f5b94498565f7d6b.exe

Verdict:

Malicious activity

Analysis date:

2023-03-25 14:51:24 UTC

Tags:

PurpleFox

Link:

https://app.any.run/tasks/5136c8bd-87f9-4ca9-8f6e-684e1f80a569

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Nitol

Link:

https://www.capesandbox.com/analysis/377421/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

farfli overlay packed

Link:

https://www.filescan.io/uploads/641f0a1d6ed02dd52de55c74/reports/d7ba92c5-ca24-4e73-ba68-adc5e9013573/overview

Verdict:

Malicious

Labled as:

Jaik.Generic

Link:

https://www.hybrid-analysis.com/sample/558e80fb074836c42b5d54d3f20839f1eaab3d8168d0fc4aae1435231e0d359e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4a44b2ad-934d-47c1-925f-8521ae74b289

Result

Threat name:

GhostRat, Nitol

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1201889

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected VMProtect packer

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample is protected by VMProtect

Snort IDS alert for network traffic

Yara detected GhostRat

Yara detected Nitol

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/558e80fb074836c42b5d54d3f20839f1eaab3d8168d0fc4aae1435231e0d359e/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2023-03-25 14:50:09 UTC

File Type:

PE (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kwhib6yhja3mik25ktj7ecbz6hvkwpmbndipysvocq2sghqngwpa._file

Verdict:

malicious

Nitol

345bc898a1a5dd6bd1158a505bd0dc530b1202d49c77d8b00fa94064ef6e79ff

Nitol

48747eb42f528ee4a9fab6fdac0e431a2cc6e4ba6ba10fcf62211c959e102efb

Nitol

5ef75cab5654d09db58080a7b4e566057f23601b509e8dff460fbbd511307655

Nitol

816a070a221056e61d0dadd4f5cabab3c96394da789e19c7950b170cd128effa

Nitol

99d3fd0263ed9be1308ae21e0a702a8255e093db24cab4b4bba6f02467aaabfe

Nitol

f7cddf2a6a564379b1b78a3b23b583da77b23c4947ac9358411a128a918a429d

Nitol

+ 30 additional samples on MalwareBazaar

Result

Malware family:

gh0strat

Score:

10/10

Tags:

family:gh0strat rat vmprotect

Link:

https://tria.ge/reports/230325-r7kwqadb74/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Enumerates connected drives

VMProtect packed file

Gh0st RAT payload

Gh0strat

Malware Config

C2 Extraction:

3005.qmananan.com

Unpacked files

SH256 hash:

558e80fb074836c42b5d54d3f20839f1eaab3d8168d0fc4aae1435231e0d359e

MD5 hash:

c6e5abd2b25c38c7f5b94498565f7d6b

SHA1 hash:

26337d29590fcf03be19f1afb0fdda66e53bd8da

Link:

https://www.unpac.me/results/2b9fdb23-bf4e-44e9-8133-27496171b4bd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.15

Link:

https://yomi.yoroi.company/submissions/558e80fb074836c42b5d54d3f20839f1eaab3d8168d0fc4aae1435231e0d359e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MALWARE_Win_Nitol Create hunting rule
Author:	ditekSHen
Description:	Detects Nitol backdoor

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Nitol

exe 558e80fb074836c42b5d54d3f20839f1eaab3d8168d0fc4aae1435231e0d359e

(this sample)

Cape

https://www.capesandbox.com/analysis/377421/

URLhaus

https://urlhaus.abuse.ch/url/2573699/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample